The behavior of the
gatekeeper
is determined by the command line
options and configuration file. Some command line options may override
a setting from the configuration file.
For example, the option -l
overrides the setting TimeToLive
in the configuration file.
Almost every option has a short and a long format, e.g.,
-c
is the same as --config
.
-h --help
Show all available options and quit the program.
-c --config filename
Specify the configuration file to use.
-s --section section
Specify which main section to use in the configuration file. The default is [Gatekeeper::Main].
-l --timetolive n
Specify the time-to-live timer (in seconds) for endpoint registration.
Overrides the setting TimeToLive
in the configuration file.
See
there for detailed explanations.
-b --bandwidth n
Specify the total bandwidth available for the gatekeeper in units of 100 bits per second. Without this option, bandwidth management is disabled.
--pid filename
Specify the pid file. Only valid for Unix version.
-u --user name
Run the gatekeeper process as this user. Only valid for Unix version.
--core n
Enable writing core dump files when the application crashes. A core dump file will not exceed n bytes in size. A special constant "unlimited" may be used to not enforce any particular limit. Only valid on Linux.
The options in this subsection override the settings in the [RoutedMode] section of the configuration file.
-d --direct
Use direct endpoint call signaling.
-r --routed
Use gatekeeper routed call signaling.
-rr --h245routed
Use gatekeeper routed call signaling and H.245 control channel.
-o --output filename
Write trace log to the specified file.
-t --trace
Set trace verbosity. Each additional -t
adds additional verbosity to the output.
For example, use -ttttt
to set the trace level to 5.
The GNU Gatekeeper configuration file is a standard text file. The basic format is:
[Section String]
Key Name=Value String
Comments are marked with a hash (#
) or a semicolon (;
)
at the beginning of a line.
The file
complete.ini
contains all available sections for GnuGk.
In most cases it doesn't make sense to use them all at once.
The file is just meant as a collection of examples for many settings.
The configuration file can be changed at run time.
Once you modify the configuration file, you may issue the reload
command
via the status port, or send the HUP
signal to the gatekeeper process:
kill -HUP `cat /var/run/gnugk.pid`
All GnuGk modules that use a database (eg. [SQLAuth], [SQLAcct] etc.) support a common set of configuration parameters that is described here. You have to repeat all settings for each module, even if they are the same. But you are also free to use differend database drivers and options for each module.
Driver=MySQL | PostgreSQL | Firebird | ODBC | SQLite
N/A
Database driver to use. Currently, MySQL
, PostgreSQL
, Firebird
,
ODBC
and SQLite
drivers are implemented.
Not all of these driver are always available. When GnuGk is compiled, only those
drivers are included where the necessary database libraries and header files are
available. When you start GnuGk, you can see in the version string which drivers
are included in your executable.
At runtime, GnuGk will load the shared library (DLL) for the database you have configured.
GnuGk supports version 3 of SQLite.
Make sure your database is configured to support password-based authentication - Microsoft SQL Server must use "Mixed Mode" for this feature to function properly.
Library=c:/Program Files/Mysql/libmysql.dll
N/A
If the shared library or DLL is not found automatically, you can set a different filename here or provide an absolute path to the library.
Host=DNS[:PORT] | IP[:PORT]
localhost
SQL server host address. Can be in the form of DNS[:PORT]
or IP[:PORT]
.
Like sql.mycompany.com
or sql.mycompany.com:3306
or 192.168.3.100
.
The ODBC driver will ignore this setting.
Database=billing
N/A
The database name to connect to.
To connect to an ODBC data source from a Windows server, create the data source though Control Panel / Administrative Tools / Data Sources (ODBC) and add a System DSN. Use the name of the System DSN in GnuGk's Database= setting.
To connect to an ODBC data source from a Unix server, use a DSN definition for unixODBC of the form DSN=GnuGk;UID=admin;PWD=secret;
in GnuGk's Database= setting. GnuGk's Usename= and Password= settings will be ignored in this case, but should be present.
Username=gnugk
The username used to connect to the database.
Password=secret
The password used to connect to the database.
If the password is not specified, a database connection attempt
without any password will be made.
If EncryptAllPasswords
is enabled, or a KeyFilled
variable is defined
in this section, the password to connect to the database is in an encrypted form and should be created using
the addpasswd
utility.
MinPoolSize=5
1
Define the number of active SQL connections. This allows for better performance
under heavy load, because more than 1 concurrent query can be executed
at the same time. Setting MinPoolSize=1
will simulate the old behavior,
when access to the SQL database was serialized (one query at time).
Don't let the name fool you, this is the exact number of connections.
Many SQL modules provide a set of placeholders that you can use in your queries, like %{CallId} in SqlAcct.
Placeholders allways start with the percent sign. Beware that you must escape the percent sign if you need it for something else in your queries (eg. in a LIKE). One way to do so is to use CHAR(37), eg. concat(alias,CHAR(37)) instead of concat(alias,'%').
Stored procedures work very well when using MySQL.
When using ODBC, you can not call stored procedures which use parameters using the "CALL ProcedureName" syntax, but you can call them with "EXEC ProcedureName".
In a few places in the configuration file, GnuGk allows regular expressions. The syntax for these regular expressions is "extended POSIX 1003.2 regular expressions". On Unix systems you can usually get a manual page explaining the syntax with "man 7 regex" or see it online at http://www.kernel.org/doc/man-pages/online/pages/man7/regex.7.html.
Name=GnuGk
OpenH323GK
Gatekeeper identifier of this gatekeeper. The gatekeeper will only respond to GRQs for this ID and will use it in a number of messages to its endpoints.
EnableIPv6=1
0
If GnuGk has been compiled with IPv6 support, you can use this switch to turn it on.
Home=192.168.1.1
listen to all IPs
The gatekeeper will listen for requests on this IP address. If not set, the gatekeeper will listen on all IPs of your host. Multiple Home addresses can be used and must be separated with a semicolon (;) or comma (,).
NetworkInterfaces=192.168.1.1/24,10.0.0.1/0
N/A
Specify the network interfaces of the gatekeeper. By default the gatekeeper will automatically detect the interfaces of your host, so this setting is not usually required, but is available if automatic detection fails. If you are using GnuGk behind a NAT box then you should use the ExternalIP setting (described below) which will automatically configure GnuGk to operate as if it was on the NAT box. The ExternalIP setting will take precedence and will override this value.
NOTE: If this setting is changed, you must restart the gatekeeper. A reload from the status port will not cause this value to be re-read.
Bind=192.168.1.1
N/A
Specify the IP address for default routing. Use this to specify which default IP address to use in a multihomed virtual environment where there may be many virtual interfaces on one host.
EndpointIDSuffix=_gk1
_endp
The gatekeeper will assign a unique identifier to each registered endpoint. This option can be used to specify a suffix to append to the endpoint identifier. This is only useful when using more than one gatekeeper. This setting doesn't change when the config is reloaded!
TimeToLive=300
-1
An endpoint's registration with a gatekeeper may have a limited life span. The gatekeeper specifies the registration duration for an endpoint by including a timeToLive field in the RCF message. After the specified length of time, the registration is considered expired. The endpoint must periodically send a RRQ having the keepAlive bit set prior to the expiration time. Such a message may include a minimum amount of information as described in H.225.0 and is known as a lightweight RRQ.
The endpoint may request a shorter timeToLive in the RRQ message to the gatekeeper.
To avoid an overload of RRQ messages, the gatekeeper automatically resets this timer to 60 seconds if you specify a lower value.
After the expiration time, the gatekeeper will make two attempts using IRQ messages to determine if the endpoint is still alive. If the endpoint responds with an IRR, the registration will be extended. If not, the gatekeeper will send a URQ with reason ttlExpired to the endpoint. The endpoint must then re-register with the gatekeeper using a full RRQ message.
To disable this feature, set it to -1
.
EnableTTLRestrictions=0
1
The default TimeToLive (TTL) configured via the "TimeToLive" parameter does not apply to endpoints which use the H.460.17 and H.460.18 protocols to traverse a firewall. In order to keep the firewall pinhole open the TimeToLive for those endpoints defaults to 19 seconds. The "TimeToLive" parameter would allow you to change this to as low as 5 seconds, and as high as 30 seconds.
If you know for sure that there is no need for a keep-alive, you can disable these restrictions by setting this switch to 0. If TTL restrictions are disabled, the TimeToLive becomes a global setting for all endpoints, including H.460.17 and H.460.18.
CompareAliasType=0
1
By default, a H323ID of '1234' won't match E164 number '1234' when comparing aliases. This parameter allows you to ignore the alias type when performing comparisons.
CompareAliasCase=0
1
By default, alias 'jan' won't match alias 'Jan'. If set to false, the comparison will not be case sensitive.
TraceLevel=2
0
Set trace level (same as -t on the command line).
TotalBandwidth=100000
-1
Total bandwidth available for all endpoints in units of 100 bits per second (eg. 5120 means 512 kbps). By default this feature is off (-1).
NOTE: At this time, the GnuGk only checks calls to and from registered endpoints.
MinimumBandwidthPerCall=1280
-1
Raise bandwidth requests from endpoints to at least this value in units of 100 bits per second. The value includes both directions, so a 384 kbps call would have a value of 7680. Setting a minimum is useful when endpoints don't report correct values (eg. Netmeeting). If set to zero or less, no minimum is enforced (default).
NOTE: At this time, the GnuGk only checks calls to and from registered endpoints.
MaximumBandwidthPerCall=100000
-1
Set maximum bandwidth allowed for a single call in units of 100 bits per second. If set to zero or less, no maximum is enforced (default).
NOTE: At this time, the GnuGk only checks calls to and from registered endpoints.
RedirectGK=Endpoints > 100 | Calls > 50
N/A
This option allow you to redirect endpoints to alternate gatekeepers if the gatekeeper becomes overloaded. In the example above, the gatekeeper will reject a RRQ if the number of registered endpoints would exceed 100, or reject an ARQ if concurrent calls exceed 50.
Furthermore, you may explicitly redirect all endpoints by
setting this option to temporary
or permanent
.
The gatekeeper will send a RAS rejection message with a list of
alternate gatekeepers defined in AlternateGKs
.
Note that a permanent
redirection means that the redirected endpoints
will not register with this gatekeeper again.
NOTE: The redirect capability will only function with H.323 version 4
compliant endpoints.
AlternateGKs=1.2.3.4;1719;false;120;GnuGk
N/A
If the endpoint loses connectivity with GnuGk it should automatically try to register with the alternate gatekeeper specified here.
NOTE: Depending on the endpoint, it may not attempt to re-establish a connection to its original gatekeeper. Support for "Assigned Gatekeepers" was added in H.323v6. See http://www.packetizer.com/ipmc/h323/whatsnew_v6.html for additional information.
The primary gatekeeper includes a field in the RCF to inform endpoints which alternate IP and gatekeeper identifier to use.
The alternate gatekeeper needs to be aware of all registrations on the primary gatekeeper or else it would reject calls. Our gatekeeper can forward every RRQ to an alternate IP address.
The AlternateGKs config option specifies the fields contained in the primary gatekeeper's RCF. The first and second fields of this string define where (IP, port) to forward to. The third tells endpoints whether they need to register with the alternate gatekeeper before placing calls. They usually don't because we forward their RRQs, so they are automatically known to the alternate gatekeeper. The fourth field specifies the priority for this gatekeeper. Lower is better; usually the primary gatekeeper is considered to have priority 1. The last field specifies the alternate gatekeeper's identifier.
You may specify multiple alternate gatekeepers as a comma separated list.
This global definition can be overriden by a per IP specification in [RasSrv::AlternateGatekeeper].
NOTE: In older versions of GnuGk, the fields were separated by colons. Since version 2.3.3 this is deprecated and you must change your configurations to use semicolons.
SendTo=1.2.3.4:1719
N/A
Although this information is contained in AlternateGKs, you must still specify which address to forward RRQs to. This might differ from AlternateGK's address due to multihomed systems, so it's a separate config option.
You can specify multiple gatekeepers in a comma separated list.
SkipForwards=1.2.3.4,5.6.7.8
N/A
To avoid circular forwarding, you shouldn't forward RRQs you get from the other gatekeeper (this statement is true for both primary and alternate gatekeeper). Two mechanisms are used to identify whether a request should be forwarded. The first one looks for a flag in the RRQ. Since few endpoints implement this, we can increase the overall reliability of the system by specifying it here.
Specify the other gatekeeper's IP in this list.
StatusPort=7000
7000
Status port to monitor the gatekeeper. See this section for details.
The GNU Gatekeeper will listen to the status port on all IPs it is listening for call signaling. You should protect those ports in your firewall and set access control rules in the [GkStatus::Auth] section for those you can't close completely.
StatusTraceLevel=2
2
Default output trace level for new status interface clients. See this section for details.
MaxStatusClients=5
20
Specifies the maximum number of concurrent connections on the status port. To disable any connections to the status port, set this switch to 0.
SshStatusPort=1
0
Use the SSH protocol for the status port. User passwords can be set in the [GkStatus::Auth] section.
TimestampFormat=ISO8601
Cisco
This setting configures the default format of timestamp strings generated by the gatekeeper.
This option affects
[SQLAcct],
[RadAcct],
[FileAcct]
and other modules, but not
[CallTable].
You can further customize timestamp formatting per module by configuring the
TimestampFormat
setting in the module-specific configuration portion of the config file.
There are four predefined formats:
RFC822
- a default format used by the gatekeeper (example: Wed, 10 Nov 2004 16:02:01 +0100)ISO8601
- standard ISO format (example: 2004-11-10 T 16:02:01 +0100)Cisco
- format used by Cisco equipment (example: 16:02:01.534 CET Wed Nov 10 2004)MySQL
- simple format that MySQL can understand (example: 2004-11-10 16:02:01)If none of the predefined options is suitable, you can build your own format string using
rules from the strftime
C function (see man strftime or search MSDN for strftime).
In general, the format string consists of regular character and format codes, preceded
by a percent sign. Example: "%Y-%m-%d and percent %%" will result in "2004-11-10 and percent %".
Some common format codes:
%a
- abbreviated weekday name%A
- full weekday name%b
- abbreviated month name%B
- full month name%d
- day of month as decimal number%H
- hour in 24-hour format%I
- hour in 12-hour format%m
- month as decimal number%M
- minute as decimal number%S
- second as decimal number%y
- year without century%Y
- year with century%u
- microseconds as decimal number (this is a GnuGk extension)%z
- time zone abbreviation (+0100)%Z
- time zone name%%
- percent signEncryptAllPasswords=1
0
Enable encryption of all passwords in the config (SQL passwords, RADIUS
passwords, [Password] passwords, [GkStatus::Auth] passwords). If enabled,
all passwords must be encrypted using the addpasswd
utility. Otherwise
only [Password] and [GkStatus::Auth] passwords are encrypted (old behavior).
KeyFilled=0
N/A
Define a global padding byte to be used during password encryption/decryption.
It can be overridden by setting KeyFilled
within a particular config section.
Usually, you do not need to change this option.
Most users will never need to change any of the following values. They are mainly used for testing or very sophisticated applications.
UseBroadcastListener=0
1
Defines whether to listen to broadcast RAS requests. This requires binding to all interfaces on a machine, so if you want to run multiple gatekeepers on the same machine you should turn this off.
UnicastRasPort=1719
1719
The RAS channel TSAP identifier for unicast.
UseMulticastListener=0
1
Enable or disable gatekeeper discovery using multicast. By default it is enabled.
MulticastPort=1718
1718
The RAS channel TSAP identifier for multicast.
MulticastGroup=224.0.1.41
224.0.1.41
The multicast group for the RAS channel.
EndpointSignalPort=1720
1720
Default port for call signaling channel of endpoints. Used when searching for endpoints in the registration table when the actual call signaling port is unknown.
ListenQueueLength=1024
1024
Queue length for incoming TCP connection.
StatusWriteTimeout=5000
5000
Time in milliseconds for write timeout on status channel.
ExternalIP=myip.no-ip.com
N/A
When using GnuGk behind a NAT you can set the external IP address that you wish the gatekeeper to masquerade as. This will allow external endpoints and other gatekeepers to contact the NATed gatekeeper. To work you must enable proxy-mode and port forward the required ports to the gatekeeper IP or put the gatekeeper in the NAT box DMZ. This is different than the bind setting, which specifies a physical IP address on the GnuGk box.
You may specify an IP address or a fully-qualified domain name (FQDN). If
you use a FQDN and ExternalIsDynamic
is set to false, it will be
resolved to an IP address on startup or configuration reload. If
ExternalIsDynamic
is set to true, the name will be stored and
resolved when needed.
ExternalIsDynamic=1
0
Configures the GnuGk to support an external dynamic address. If enabled,
GnuGk will ensure that the Dynamic DNS (DDNS) service receives keep-alive
messages to maintain your DDNS name lease. You must also configure the
ExternalIP
setting with a DNS address maintained by a DDNS service
such as www.dyndns.com or www.no-ip.com.
DefaultDomain=gnugk.org,gnugk.de
N/A
If the GnuGk receives a request for an address in the format
user@domain.com, this option will strip the domain from the address
if it matches the DefaultDomain
setting and will then process the
request using just the "user" field. This is useful when receiving
interdomain calls placed via SRV routing policy where the full URI is
received. It can also be used in conjunction with the
[RasSrv::RewriteAlias] section to convert the received URI into an E.164
number for further processing and routing.
Authenticators=H.235.1,CAT
H.235.1,MD5,CAT
Selects the specific authenticators to use when authenticating endpoints. The default options are: H.235.1 (HMAC SHA1 / old H235AnnexD), MD5 (Digest Authentication) and CAT (Cisco Access Tokens ie RADIUS). Setting a value of NONE will disable authenticators. The order indicates the priority of the authentication mechanism. If this setting is omitted, all authenticators are loaded by default. If you are using plugin authenticators, then you may want to disable the default authenticators to provide optimum security. Note: H.235.1 requires OpenSSL support compiled into GnuGk. This switch is only available if GnuGk is compiled with H323Plus.
DisconnectCallsOnShutdown=0
1
GnuGk will disconnect all ongoing calls when it shuts down and will send an unregistration request to all endpoints. To override this default, set this parameter to "0". This switch is intended mainly for gatekeepers running in direct mode; in routed mode and proxy mode calls will still get disrupted when the gatekeeper shuts down.
MaxASNArraySize=400
128
EXPERIMENTAL: Sets the maximum number of elements in an ASN encoded array, eg. the max. number of aliases in a list. Versions of PTLib through v2.10.1 default to 128 elements. Beware of hitting the limits of other vendors if you increase this setting.
MaxSocketQueue=10000
100
Limit how many bytes to queue for a socket before it is considered dead and will be closed. This probably is only an issue with H.460.17.
TTLExpireDropCall=0
1
Set whether to drop a registration on TTL expiry even if there appears to be a current call for the endpoint. By default it will force the drop of the call before unregistering the endpoint. A situation may occur if there are bandwidth congestion, RRQ packets are being lost but an active call (likely causing the congestion) is still in progress. By enabling this switch the registration remains current until a RRQ is received or the apparent call either times out or is dropped.
Defines a number of rules regarding who is allowed to connect to the status port. Access to the status port provides full control over your gatekeeper. Ensure that this is set correctly. The status port is active on all IPs GnuGk listens to. You should block as many status ports in your firewall as your setup allows. If you rely on password rules to secure the status port, you should add additional IP based rules ('explicit' or 'regex') to limit the IP range where logins are allowed from.
rule=allow
forbid
Possible values are
forbid
- disallow any connection.allow
- allow any connectionexplicit
- reads the parameter ip=value
where ip
is the IP address of the client,
value
is 1,0
or allow,forbid
or yes,no
.
If ip
is not listed the parameter default
is used.regex
- the IP of the client is matched against the given regular expression.
To allow client from 195.71.129.0/24 and 195.71.131.0/24:
regex=^195\.71\.(129|131)\.[0-9]+$
password
- the user must provide an appropriate username and password to login. The format of username/password is the same as
[SimplePasswordAuth] section.
These rules may be combined with "|" (to specify a logical "OR") or "&" (for logical "AND"). For example,
rule=explicit | regex
explicit
or regex
rule.
rule=regex & password
regex
rule, and the user has to login by username and password.Using the SSH protocol for the status port implies that all users are authenticated by password, but you can impose additional IP rules eg. "regex & password".
default=allow
forbid
Only used when rule=explicit
.
DSAKey=
etc/ssh/ssh_host_dsa_keyssh_host_dsa_key (in current working directory)
Path for the file containing the DSA host key. (only used for SSH)
RSAKey=
etc/ssh/ssh_host_rsa_keyssh_host_rsa_key (in current working directory)
Path for the file containing the RSA host key. (only used for SSH)
Shutdown=forbid
allow
To allow the gatekeeper to be shutdown via status port.
DelayReject=5
0
Time (in seconds) to wait before rejecting an invalid username/password. Useful to insert a delay in brute-force attacks.
This section defines log file related parameters. Currently, it allows users to specify log file rotation options.
Filename=/var/log/gk_trace.log
N/A
Set the output filename for the log file (same as -o on the command line). On Windows, backslashes in the file name have to be escaped.
This setting doesn't change when the config is reloaded!
Rotate=Hourly | Daily | Weekly | Monthly
N/A
If set, the log file will be rotated based on this setting. Hourly rotation
enables rotation once per hour, daily - once per day, weekly - once per week
and monthly - once per month. An exact rotation moment is determined by a combination
of RotateDay
and RotateTime
variables. During rotation, an existing
file is renamed to CURRENT_FILENAME.YYYYMMDD-HHMMSS, where YYYYMMDD-HHMMSS
is replaced with the current timestamp, and new lines are logged to an empty
file. To disable rotation, do not configure the Rotate
parameter or set it to 0.
[LogFile]
Rotate=Hourly
RotateTime=45
Filename=/var/log/gk_trace.log
[LogFile]
Rotate=Daily
RotateTime=23:00
Filename=C:\\Logs\\GnuGk.log
[LogFile]
Rotate=Weekly
RotateDay=Sun
RotateTime=00:59
[LogFile]
Rotate=Monthly
RotateDay=31
RotateTime=23:00